Seal Migration doc update (#8405)

Vishal Nayak 2020-02-21 06:57:48 -05:00 committed by GitHub
parent 2980d06e5a
commit 348cf9f52f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -91,7 +91,8 @@ For a list of examples and supported providers, please see the
## Seal Migration
The seal can be migrated from Shamir keys to Auto Unseal and vice versa.
The seal can be migrated from Shamir keys to Auto Unseal, Auto Unseal to Shamir
keys and Auto Unseal to another Auto Unseal.
~> **NOTE**: The migration operation will require both seals to be available
during the migration. For example, a migration from a cloud KMS seal to
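Review bot: the rewritten sentence under `## Seal Migration` lists "Auto Unseal to another Auto Unseal" without qualification, but the note added further down in this same commit (`### Migration From Auto Unseal to Auto Unseal`) says migration between the same Auto Unseal types is not supported; say "Auto Unseal to a different Auto Unseal type" here so the summary does not promise more than the section below delivers. Minor: with three items the list reads better with a comma before the final "and": `Auto Unseal to Shamir keys, and Auto Unseal to another Auto Unseal`.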
@ -127,6 +128,9 @@ are entered, the recovery keys will be migrated to be used as unseal keys.
### Migration From Auto Unseal to Auto Unseal
~> **NOTE**: Migration between same Auto Unseal types is not currently
supported. We plan to support this officially in a future release.
To migrate from Auto Unseal to a different Auto Unseal configuration, take your server
cluster offline and update the existing [seal configuration](/docs/configuration/seal)
and add `disabled = "true"` to the seal block. Then add another seal block to describe
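Review bot: the second sentence of the added callout, `We plan to support this officially in a future release.`, is a roadmap promise inside reference documentation and will silently go stale once the release ships (or does not); either drop it and keep only the factual `Migration between same Auto Unseal types is not currently supported.`, or replace it with a link to a tracking issue so readers can check the current status themselves.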
@ -137,6 +141,19 @@ use the Recovery Keys to perform the migration. All unseal commands must specify
the `-migrate` flag. Once the required threshold of recovery keys are entered,
the recovery keys will be kept and used as recovery keys in the new seal.
### Migration with Integrated Storage
Integrated Storage uses the Raft protocol underneath, which requires a quorum of
servers to be online before the cluster is functional. Therefore, bring the
cluster back up one node at a time with the seal configuration updated, will not
work in this case. Follow the same steps for each kind of migration described
above with the exception that after the cluster is taken offline, update the
seal configurations of all the nodes appropriately and bring them all back up.
When the quorum of nodes are back up, Raft will elect a leader and the leader
node will perform the migration. The migrated information will be replicated to
all other cluster peers and when the peers eventually become the leader,
migration will not happen again on the peer nodes.
## Recovery Key Rekeying
During Auto Seal initialization process, a set of Shamir keys called Recovery Keys are
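Review bot: the new `### Migration with Integrated Storage` section tells the reader to update the seal configuration on all nodes and "bring them all back up", but the steps it points back to require every unseal command to carry the `-migrate` flag whenever Shamir keys are on either side of the migration; state whether those `-migrate` unseal commands are run against every node or only against the node that becomes leader, since the section then says only the leader performs the migration and peers never repeat it. Grammar in the same paragraph: `bring the cluster back up one node at a time with the seal configuration updated, will not work` should read `bringing the cluster back up one node at a time with the seal configuration updated will not work`, and `When the quorum of nodes are back up` should be `When a quorum of nodes is back up`.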